# AWS Security & Compliance – Cloud Practitioner Certification Study Guide


## Overview

AWS Security and Compliance is one of the most heavily tested domains on the Cloud Practitioner exam, accounting for approximately 30% of exam questions. This guide covers the Shared Responsibility Model, Identity and Access Management, core security services, encryption concepts, and compliance tools. Mastering these topics requires understanding not just what each service does, but when and why to use each one.


---


## 1. The Shared Responsibility Model

### Core Concept

The Shared Responsibility Model divides security duties between AWS and the customer. A simple way to remember it: AWS secures the cloud itself; customers secure what they put IN the cloud.

### AWS Responsibilities ("Security OF the Cloud")

- Physical data center security
- Hardware and networking infrastructure
- Hypervisor and virtualization layer
- Managed service underlying infrastructure (e.g., RDS engine patching)

### Customer Responsibilities ("Security IN the Cloud")

- Operating system patching (for EC2 and self-managed services)
- Application-level security
- Data encryption (at rest and in transit)
- Identity and access management (IAM users, MFA)
- Network configuration (Security Groups, NACLs)

### Shared Controls

Some responsibilities are shared, meaning both parties contribute:

- Patch Management – AWS patches infrastructure; customers patch their OS and apps
- Configuration Management – AWS configures infrastructure; customers configure their services
- Awareness and Training – Each party trains their own employees

### Service Type Matters

| Service Type | Customer Manages More | AWS Manages More |
|---|---|---|
| EC2 (IaaS) | OS, DB, runtime, app, data | Physical hardware |
| RDS (Managed) | Data, access control | OS, DB engine patching |
| Lambda (Serverless) | Code, IAM, data | Everything else |

### Key Terms

- Shared Responsibility Model – Framework dividing security tasks between AWS and customers
- Managed Service – AWS service where AWS takes on more operational responsibility
- IaaS – Infrastructure as a Service; customer has most control and most responsibility

### Watch Out For

> ⚠️ Exam Tip: RDS vs. EC2 is a classic exam trap. On RDS, AWS patches the database engine. On EC2, YOU patch everything. Know which tasks shift when moving to a managed service.
>
> ⚠️ MFA is always the customer's responsibility to enable — AWS never forces it on your behalf.


---

## 2. Identity & Access Management (IAM)

### Core Concept

IAM is the foundation of AWS security. It controls who can do what on which AWS resources. IAM is global (not region-specific) and free to use.

### Root Account

- Created when you first open an AWS account
- Has unrestricted access to everything
- Best Practice: Lock it away — enable MFA, do not create access keys, use only for tasks requiring root (e.g., closing the account, changing support plans)

### IAM Building Blocks

#### IAM Users

- Represents an individual person or application
- Has long-term credentials (username/password or access keys)
- Should follow the Principle of Least Privilege

#### IAM Groups

- A collection of IAM users
- Policies attached to a group apply to all members
- Users can belong to multiple groups
- Groups cannot be nested (no groups within groups)

#### IAM Roles

- Provides temporary security credentials
- Used by: EC2 instances, Lambda functions, federated/external users, cross-account access
- No long-term credentials stored — credentials are automatically rotated
- Best Practice: Use roles instead of embedding access keys in applications

#### IAM Policies

- JSON documents defining permissions
- Specify: Effect (Allow/Deny), Action (what), Resource (which AWS resource)
- Types: AWS Managed, Customer Managed, Inline
- Explicit Deny always overrides Allow

### Principle of Least Privilege

Grant only the minimum permissions needed to perform a task — nothing more. Start restrictive and add permissions as needed.

### IAM Identity Center (Formerly AWS SSO)

- Centralized Single Sign-On (SSO) for multiple AWS accounts and business applications
- One set of credentials to access everything
- Integrates with external identity providers (Microsoft Active Directory, Okta)
- Ideal for organizations managing multiple AWS accounts via AWS Organizations

### Key Terms

- IAM Policy – JSON document defining what actions are allowed/denied
- Principle of Least Privilege – Grant minimum necessary permissions
- IAM Role – Temporary credentials for AWS services or federated users
- MFA (Multi-Factor Authentication) – Additional verification layer; customer's responsibility to enable
- Federation – Allowing external identities (e.g., corporate Active Directory) to access AWS

### Watch Out For

> ⚠️ Roles vs. Users: If a question involves an EC2 instance needing access to S3 or another service, the answer is almost always an IAM Role — never hard-code access keys into an application.
>
> ⚠️ Groups cannot assume roles and groups cannot contain other groups. Groups are only for organizing IAM Users.
>
> ⚠️ An explicit Deny in any policy will override any Allow — this is a frequent exam question.


---

## 3. Security Services & Tools

### Threat Detection & Monitoring

#### AWS CloudTrail

- Records all API calls and account activity across your AWS environment
- Answers the question: "Who did what, when, and from where?"
- Used for: governance, compliance, auditing, troubleshooting
- Logs are stored in S3
- Enabled by default for the last 90 days; create a Trail for long-term retention
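The "who did what, when, and from where" question is answered by reading the records a Trail delivers to S3. The script below is an added example for this guide (not AWS code): it parses a CloudTrail log file, reduces each record to those four fields, and flags any call made with root credentials, which ties back to the root-account advice in section 2. The log file is a constructed sample in the shape of real CloudTrail records (`eventTime`, `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity`); the account ID, ARNs and IP addresses are made up.

```python
"""Answer "who did what, when, and from where?" from CloudTrail records.

Added example for this study guide, not AWS code. The records below are a
constructed sample in the shape of a CloudTrail log file, not real log data.
"""
import json
from datetime import datetime

# Constructed sample of one log file as a Trail delivers it to S3:
# a JSON object with a top-level "Records" list.
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2024-05-01T09:12:44Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutBucketPolicy",
            "sourceIPAddress": "203.0.113.7",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111122223333:user/alice",
                             "userName": "alice"},
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2024-05-01T09:13:02Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateAccessKey",
            "sourceIPAddress": "198.51.100.20",
            "userIdentity": {"type": "Root",
                             "arn": "arn:aws:iam::111122223333:root"},
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2024-05-01T09:15:30Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "sourceIPAddress": "10.0.1.25",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/web-app-role/i-0abc123"},
        },
    ]
})


def load_records(log_file_text):
    """Parse a CloudTrail log file (JSON with a top-level "Records" list)."""
    return json.loads(log_file_text)["Records"]


def summarize(records):
    """Reduce each record to who / what / when / where."""
    rows = []
    for r in records:
        service = r["eventSource"].split(".")[0]          # "s3.amazonaws.com" -> "s3"
        rows.append({
            "who": r["userIdentity"].get("arn", "<unknown>"),
            "what": f'{service}:{r["eventName"]}',
            "when": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "where": r["sourceIPAddress"],
        })
    return rows


def root_activity(records):
    """Flag every API call made with root credentials. Root should be locked
    away (MFA, no access keys), so any root call outside the few root-only
    tasks is worth an alert."""
    return [f'{r["eventTime"]} {r["eventName"]} from {r["sourceIPAddress"]}'
            for r in records if r["userIdentity"].get("type") == "Root"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for row in summarize(recs):
        print(f'{row["when"]:%Y-%m-%d %H:%M:%S}  {row["who"]}  {row["what"]}  from {row["where"]}')
    print("root activity:", root_activity(recs))
```

In a real account the same functions would run over every gzipped object under the Trail's S3 prefix; the root check is the kind of rule you would otherwise hand to GuardDuty or a Security Hub control rather than maintain by hand.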

#### Amazon GuardDuty

- Intelligent threat detection using machine learning and threat intelligence feeds
- Analyzes: VPC Flow Logs, CloudTrail logs, DNS logs
- Detects: compromised EC2 instances, unusual API calls, cryptocurrency mining, data exfiltration
- No agents required — simply enable it
- Think of it as: "Active security alarm system"

#### Amazon Inspector

- Automated vulnerability scanning for:
  - EC2 instances (OS vulnerabilities, network exposure)
  - Container images in Amazon ECR
- Generates findings with a risk score and remediation guidance
- Think of it as: "Security health check for your workloads"

#### Amazon Macie

- Uses machine learning to discover and protect sensitive data in S3
- Detects: PII (Personally Identifiable Information), financial data, credentials
- Sends findings to Security Hub or EventBridge for action
- Think of it as: "S3 data privacy scanner"

### DDoS Protection

#### AWS Shield Standard

- Free and automatic — available to all AWS customers
- Protects against common Layer 3 and Layer 4 (network and transport) DDoS attacks
- No configuration required

#### AWS Shield Advanced

- Paid service with enhanced protections
- Adds: real-time attack visibility, 24/7 DDoS Response Team (DRT) access, application layer protection
- Cost protection — AWS credits your bill for scaling costs during a DDoS attack
- Recommended for: business-critical, high-traffic applications

### Web Application Protection

#### AWS WAF (Web Application Firewall)

- Filters HTTP/HTTPS traffic at Layer 7 (application layer)
- Protects against: SQL injection, cross-site scripting (XSS), bad bots, IP-based attacks
- Uses Web ACLs (Access Control Lists) with customizable rules
- Deploys on: CloudFront, ALB, API Gateway, AppSync

### Centralized Security Management

#### AWS Security Hub

- Single pane of glass for security across AWS accounts
- Aggregates findings from: GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools
- Checks compliance against standards: CIS AWS Foundations, PCI DSS, AWS Foundational Security Best Practices
- Think of it as: "Security dashboard that connects all the dots"

### Key Terms Quick Reference

| Service | Primary Function | Think of it as… |
|---|---|---|
| CloudTrail | API activity logging | Security camera footage |
| GuardDuty | Threat detection | Alarm system |
| Inspector | Vulnerability scanning | Security checkup |
| Macie | S3 sensitive data discovery | Privacy scanner |
| Shield Standard | Free DDoS protection | Basic flood barrier |
| Shield Advanced | Enhanced DDoS + DRT | 24/7 security team |
| WAF | Web app traffic filtering | Website bouncer |
| Security Hub | Centralized findings | Security control room |

### Watch Out For

> ⚠️ GuardDuty vs. Inspector vs. Macie: These are commonly confused.
> - GuardDuty = Threat detection (account-wide activity)
> - Inspector = Vulnerability assessment (EC2/containers)
> - Macie = Sensitive data in S3 specifically
>
> ⚠️ Shield Standard is free and automatic — you don't need to do anything to enable it.
>
> ⚠️ WAF does NOT protect against DDoS at the network layer — that's Shield's job. WAF protects against application-layer exploits.


---

## 4. Encryption & Key Management

### Encryption Concepts

#### Encryption at Rest

- Protects stored data from unauthorized access
- Examples: encrypted S3 objects, encrypted EBS volumes, encrypted RDS databases
- Services: AWS KMS, CloudHSM

#### Encryption in Transit

- Protects data moving between systems from interception
- Uses SSL/TLS protocols
- Examples: HTTPS connections, encrypted data transfer between services
- Service: AWS Certificate Manager (ACM)

### Key Management Services

#### AWS Key Management Service (KMS)

- Create, manage, and control encryption keys
- Integrated with most AWS services (S3, EBS, RDS, Lambda, etc.)
- Shared, multi-tenant managed service — AWS manages the hardware
- Supports: customer-managed keys (CMKs) and AWS-managed keys
- All key usage is logged in CloudTrail

#### AWS CloudHSM

- Dedicated hardware security module — single-tenant, physically isolated
- YOU have exclusive control of keys; AWS cannot access them
- Meets strict regulatory requirements (FIPS 140-2 Level 3)
- More control and compliance capability than KMS, but requires more management
- Use when: regulations require exclusive key control or dedicated hardware

#### AWS Certificate Manager (ACM)

- Provisions and automatically renews SSL/TLS certificates
- Free for certificates used with AWS services
- Integrates with: CloudFront, ALB, API Gateway
- Eliminates manual certificate renewal headaches

### KMS vs. CloudHSM Comparison

| Feature | AWS KMS | AWS CloudHSM |
|---|---|---|
| Tenancy | Multi-tenant (shared) | Single-tenant (dedicated) |
| Key Control | AWS manages hardware | Customer has full control |
| Management | Fully managed | Customer manages HSM cluster |
| FIPS Level | 140-2 Level 2 | 140-2 Level 3 |
| Cost | Pay per API call | Hourly instance cost |
| Best For | Most use cases | Strict compliance/regulatory needs |

### Key Terms

- Encryption at Rest – Protecting stored data
- Encryption in Transit – Protecting data being transmitted (SSL/TLS)
- KMS – AWS-managed key management service
- CloudHSM – Dedicated hardware for key management with exclusive customer control
- ACM – Automated SSL/TLS certificate management
- CMK (Customer Managed Key) – Encryption key you create and control in KMS

### Watch Out For

> ⚠️ KMS vs. CloudHSM: KMS is the default answer for most encryption scenarios. Choose CloudHSM only when the question mentions dedicated hardware, single-tenant, or exclusive key control requirements.
>
> ⚠️ ACM certificates are free when used with AWS services but cannot be exported for use on non-AWS servers.


---

## 5. Compliance & Governance

### Compliance Resources

#### AWS Artifact

- Self-service portal for AWS compliance documentation
- Provides on-demand access to:
  - Compliance reports: SOC 1/2/3, PCI DSS, ISO 27001, FedRAMP
  - Security agreements: Business Associate Agreements (BAA) for HIPAA
- No cost to use
- Think of it as: "AWS's compliance document library"

#### HIPAA Compliance

- HIPAA = Health Insurance Portability and Accountability Act (US healthcare data privacy)
- AWS offers a HIPAA-eligible services list and signs BAAs (Business Associate Agreements)
- Customers must configure eligible services correctly — compliance is still shared

### Infrastructure Governance

#### AWS Config

- Continuously monitors and records AWS resource configurations
- Answers: "What did my infrastructure look like at a given point in time?"
- Evaluates resources against Config Rules (compliance checks)
- Detects configuration drift and sends alerts
- Think of it as: "Compliance history and change tracker"

#### AWS Organizations & Service Control Policies (SCPs)

- AWS Organizations – Centrally manage multiple AWS accounts
- SCPs (Service Control Policies) – Define maximum available permissions for member accounts
  - Even if an IAM admin in a child account grants full access, the SCP can block it
  - SCPs do NOT grant permissions — they only restrict what's possible
  - Applied at the Organization Unit (OU) or account level
- Think of SCPs as: "A permission ceiling for entire accounts"
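The two rules that the IAM section and the SCP bullets above both hinge on (an explicit Deny beats any Allow, and an SCP is a ceiling that never grants) are easiest to see in code. The evaluator below is an added example written for this guide, not AWS's authorization engine: it reduces policy evaluation to Effect, Action and Resource with IAM-style `*` wildcards, and deliberately ignores conditions, resource-based policies and permissions boundaries. The policy documents (`ADMIN_POLICY`, `DENY_DELETE_BUCKET`, `ORG_SCPS`) and ARNs are constructed samples.

```python
"""Simplified IAM authorization: explicit Deny > Allow > implicit Deny,
with an SCP applied as a ceiling. Added example for this study guide, not
AWS's evaluation engine; policies below are constructed samples."""
import fnmatch


def _matches(patterns, value):
    """IAM-style wildcard match: "s3:*" matches "s3:GetObject", "*" matches all."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_policies(policies, action, resource):
    """Return "Allow" or "Deny" for one action on one resource.

    Order of decision: any matching explicit Deny wins outright; otherwise any
    matching Allow grants; otherwise the default is an implicit Deny.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # explicit deny: stop immediately
            allowed = True
    return "Allow" if allowed else "Deny"


def is_authorized(identity_policies, action, resource, scps=None):
    """Apply the SCP ceiling first, then the identity's own policies.

    An SCP that "allows" an action grants nothing by itself: the principal
    still needs an identity policy that allows it.
    """
    if scps is not None and evaluate_policies(scps, action, resource) == "Deny":
        return False                       # ceiling: a child-account admin cannot override this
    return evaluate_policies(identity_policies, action, resource) == "Allow"


# ---- constructed sample policies (same JSON shape as real IAM documents) ----
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DENY_DELETE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

# SCPs attached to an OU: allow everything, except leaving the organization.
ORG_SCPS = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]},
]

if __name__ == "__main__":
    both = [ADMIN_POLICY, DENY_DELETE_BUCKET]
    print("admin + deny, s3:DeleteBucket ->", evaluate_policies(both, "s3:DeleteBucket", "arn:aws:s3:::example"))
    print("admin + deny, s3:GetObject    ->", evaluate_policies(both, "s3:GetObject", "arn:aws:s3:::example/k"))
    print("admin under SCP, LeaveOrganization ->", is_authorized([ADMIN_POLICY], "organizations:LeaveOrganization", "*", ORG_SCPS))
    print("no IAM policy under permissive SCP ->", is_authorized([], "ec2:RunInstances", "*", ORG_SCPS))
```

Run it and the four printed lines are the four exam facts: the explicit Deny wins even against `"Action": "*"`, everything the Deny does not name stays allowed, the SCP blocks the account's own administrator, and a permissive SCP with no IAM policy still yields no access.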

### Network Security

#### VPC Security Groups

- Act as a virtual stateful firewall at the EC2 instance level
- Stateful = return traffic is automatically allowed (you only need to set inbound rules for typical web traffic)
- Default: deny all inbound, allow all outbound
- Rules are allow-only — you cannot explicitly deny specific IPs in a Security Group

#### Network ACLs (NACLs)

- Act as a stateless firewall at the subnet level
- Stateless = you must explicitly allow both inbound AND outbound traffic
- Rules are numbered and processed in order (lowest number first)
- Support both allow and deny rules
- Default NACL allows all traffic; custom NACLs deny all by default

#### AWS Secrets Manager

- Stores, rotates, and manages secrets (API keys, database passwords, credentials)
- Built-in automatic rotation for RDS, Redshift, DocumentDB credentials
- Differs from SSM Parameter Store, which is simpler and cheaper but has no built-in automatic rotation

### Security Group vs. NACL Comparison

| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance level | Subnet level |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and Deny |
| Return Traffic | Automatically allowed | Must explicitly allow |
| Rule Processing | All rules evaluated | Rules processed in number order |
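Every row of the comparison above can be exercised with a small simulation. The code below is an added example for this guide, not AWS code: it models a Security Group (allow-only rules, connection tracking so reply traffic passes) and a Network ACL (numbered allow/deny rules per direction, lowest number first, first match wins, implicit deny at the end), then runs one HTTPS request and its reply through each. The addresses, ports and rules are constructed, and the port model is simplified to one port per side.

```python
"""Stateful Security Group vs. stateless NACL, simulated on one TCP request
and its reply. Added example for this study guide, not an AWS implementation;
all rules and addresses are constructed."""
from ipaddress import ip_address, ip_network


def _rule_matches(rules, proto, port, ip):
    """Allow-rule check shared by the Security Group: (proto, port|'any', cidr)."""
    return any(p == proto and (prt == "any" or prt == port)
               and ip_address(ip) in ip_network(cidr)
               for p, prt, cidr in rules)


class SecurityGroup:
    """Instance level, stateful, allow-only. Default: no inbound, all outbound."""

    def __init__(self, inbound_rules):
        self.inbound = inbound_rules                       # there are no deny rules
        self.outbound = [("tcp", "any", "0.0.0.0/0")]      # default outbound: allow all
        self.tracked = set()                               # connection-tracking table

    def check(self, direction, proto, remote_ip, remote_port, local_port):
        flow = (proto, remote_ip, remote_port, local_port)
        if flow in self.tracked:
            return True                                    # stateful: reply of an allowed flow
        rules = self.inbound if direction == "in" else self.outbound
        port = local_port if direction == "in" else remote_port
        if _rule_matches(rules, proto, port, remote_ip):
            self.tracked.add(flow)
            return True
        return False


class NetworkACL:
    """Subnet level, stateless. Rules: (number, proto, (low, high), cidr, action).
    Evaluated lowest number first, first match wins, implicit deny at the end,
    and each direction is checked on its own."""

    def __init__(self, inbound_rules, outbound_rules):
        self.rules = {"in": sorted(inbound_rules), "out": sorted(outbound_rules)}

    def check(self, direction, proto, remote_ip, remote_port, local_port):
        port = local_port if direction == "in" else remote_port
        for _num, p, (low, high), cidr, action in self.rules[direction]:
            if p == proto and low <= port <= high and ip_address(remote_ip) in ip_network(cidr):
                return action == "allow"
        return False                                       # no match: implicit deny


def simulate_https_exchange(firewall, client_ip="203.0.113.50", client_port=51000):
    """A client connects to the instance on 443 and the instance replies.
    Returns (request_allowed, reply_allowed)."""
    request = firewall.check("in", "tcp", client_ip, client_port, 443)
    reply = firewall.check("out", "tcp", client_ip, client_port, 443)
    return request, reply


# ---- constructed rule sets ----
SG_WEB = SecurityGroup([("tcp", 443, "0.0.0.0/0")])
NACL_INBOUND_ONLY = NetworkACL([(100, "tcp", (443, 443), "0.0.0.0/0", "allow")], [])
NACL_WITH_EPHEMERAL = NetworkACL(
    [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    [(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")])   # reply goes to an ephemeral port
NACL_DENY_FIRST = NetworkACL(
    [(90, "tcp", (0, 65535), "203.0.113.0/24", "deny"),     # lower number: evaluated first
     (100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    [(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")])

if __name__ == "__main__":
    for name, fw in [("security group", SG_WEB), ("NACL, inbound rule only", NACL_INBOUND_ONLY),
                     ("NACL with ephemeral outbound", NACL_WITH_EPHEMERAL),
                     ("NACL deny rule numbered first", NACL_DENY_FIRST)]:
        print(f"{name:32s} request/reply allowed: {simulate_https_exchange(fw)}")
```

The second case is the classic mistake the comparison table warns about: an inbound NACL rule for 443 lets the request in, but with no outbound rule for ephemeral ports the reply is dropped, whereas the Security Group with only an inbound rule handles both directions. The last case shows the deny rule blocking a CIDR because its number is lower, something a Security Group cannot express at all.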


### Key Terms

- AWS Artifact – On-demand compliance reports and agreements portal
- AWS Config – Resource configuration monitoring and compliance tracking
- SCP (Service Control Policy) – Maximum permission boundary for AWS Organization accounts
- Security Group – Stateful instance-level firewall
- NACL – Stateless subnet-level firewall
- AWS Secrets Manager – Managed secrets storage with auto-rotation
- HIPAA / BAA – US healthcare compliance framework and agreement

### Watch Out For

> ⚠️ Security Groups vs. NACLs: The key distinction is stateful vs. stateless.
> - Security Group = stateful (like a smarter bouncer who remembers you came in)
> - NACL = stateless (checks both directions independently every time)
>
> ⚠️ SCPs restrict but do NOT grant permissions. Even if an SCP "allows" an action, a user still needs an IAM policy that allows it too.
>
> ⚠️ AWS Config tracks configuration changes and compliance — it does NOT enforce or prevent changes. It's observational.
>
> ⚠️ **CloudTrail vs. AWS
